FillDisk -- HTML5 permits websites to store considerable data on your local disk. It was originally expected that the browsers would impose a ceiling on this, but IE, Opera, Safari, and Chrome do not. A properly coded HTML5 site can completely fill your hard drive.

Someone somewhere wished s/he could cache the whole Wikipedia to save bandwidth?posted by Iosephus at 4:07 PM on March 1, 2013 [1 favorite]

Not exactly a place you want to visit on your phone. Right before misplacing it for a couple of hours.posted by phaedon at 4:13 PM on March 1, 2013

Hooray for no webkit monoculture.

Umm... IE and Opera? I know Opera is moving to WebKit, but that version hasn't been released yet.posted by sbutler at 4:14 PM on March 1, 2013

Hooray for no webkit monoculture.

WebKit is just rendering. I'm pretty sure it would be possible for Safari to handle this correctly while Chrome didn't, or vice-versa. WebKit ain't the entirety of a browser.posted by GuyZero at 4:28 PM on March 1, 2013 [5 favorites]

Umm... IE and Opera? I know Opera is moving to WebKit, but that version hasn't been released yet"

Opera is moving to WebKit? That's interesting, I wonder what their value proposition will be. Well, I've always kind of wondered about Opera's value proposition, to be honest, but even more now.posted by Joakim Ziegler at 4:28 PM on March 1, 2013 [1 favorite]

If you want some actual information about this, all browsers do have limits on a single domain name. What some browsers have messed up is that they're not counting subdomains of a primary domain towards that primary domain's limit. So it's an easy fix, and it really does take a malicious site to make this happen.posted by Llama-Lime at 4:28 PM on March 1, 2013 [8 favorites]

"Oh hai there... Filling your hard disk with lots of cats...", and Trololololo as background music? That's a great site all by itself, exploit or no.posted by Joakim Ziegler at 4:30 PM on March 1, 2013 [1 favorite]

Opera is moving to WebKit?

Yep. I remember being critical of Apple early on for choosing to branch KHTML for their browser, instead of supporting and integrating Gecko. At the time Gecko was much more feature complete, and I felt that by the time Apple was done beefing up KHTML it would be just as bloated as Gecko.

Obviously I was wrong. Here we are today and WebKit is everywhere, especially in the mobile market. And Gecko has abandoned embedders.posted by sbutler at 4:35 PM on March 1, 2013

I am someone who has money and would like to pay someone to port their browser to my specific hardware platform. Opera tends to get that money. Also, ads.posted by GuyZero at 4:46 PM on March 1, 2013 [2 favorites]

WebKit is just rendering. I'm pretty sure it would be possible for Safari to handle this correctly while Chrome didn't, or vice-versa. WebKit ain't the entirety of a browser.

WebKit has its own scripting engine, called SquirrelFish or Nitro, but Chrome doesn't use it. Chrome has its own, called "V8". The other two major browsers also use their own scripting engines.posted by zixyer at 4:47 PM on March 1, 2013

Also, there may be plenty of legit reasons to think that WebKit is indeed an unhealthy monoculture but this in't one of them.

And that was the hypothetical "I" back there - I don't actually have any money, for anything.posted by GuyZero at 5:07 PM on March 1, 2013 [2 favorites]

Probably much the same as before. To render webpages off-device as they do - via "Opera Turbo", a pretty killer feature if you're on a dodgy network or portable device - they proxy the rendering process and much of the interaction on their own servers. The upshot of that is that they have a fantastic amount of insight into what the Web looks and acts like for mobile users that nobody else has.

The switch to WebKit is probably going to (well, definitely is, I know that) cost them a bunch of really good web-technology developers, but their client-side rendering engine has never been their primary value.posted by mhoye at 5:24 PM on March 1, 2013

So it's an easy fix, and it really does take a malicious site to make this happen.

That's what I meant, though, about "hooray for no webkit monoculture". Misinterpretations or misreadings of the spec have historically had a horrible habit of becoming de-facto standards, broken or not; we've only really emerged from those dark ages in the last two years. What would the cost be, if instead of being the easy fix it is now, a move to fixing it would have happened three years from now and basically broken the web?posted by mhoye at 5:28 PM on March 1, 2013 [1 favorite]

> What would the cost be, if instead of being the easy fix it is now, a move to fixing it would have happened three years from now and basically broken the web?

Because there is no value proposition to you, as a malicious developer, to run sites that fuck trash random computers, unless you have a pretty maladjusted sense of lulz. So the exploit might appear in the wild here and there but doesn't seem likely to propagate in the way a useful security compromise would, even if the latter is more technically difficult.posted by ardgedee at 8:02 PM on March 1, 2013

As threats go, this is awfully minor. Also patching the subdomain loophole really isn't sufficient; an attacker could do the same sort of thing with redirects to new second level domains.posted by Nelson at 8:46 PM on March 1, 2013

Ardgedee, I think the point was that some site might take advantage of this hole in order to allocate two or three times the amount of storage that it's really supposed to, not as a hack but simply because it needs it. If, then, the browsers were all fixed to not permit it, that site would cease working.

Back when Netscape was busy ignoring all the standards and doing whatever the hell it wanted to with Navigator, a fair number of things like that which Nav did but which weren't really correct ended up becoming "standard" in exactly that way.posted by Chocolate Pickle at 9:13 PM on March 1, 2013 [1 favorite]

Opera is moving to WebKit? That's interesting, I wonder what their value proposition will be. Well, I've always kind of wondered about Opera's value proposition, to be honest, but even more now.

There's a lot more to browser software than just the rendering engine. Opera has its own JS engine, plugins/extensions, and other features. Saying it doesn't have a value proposition because it's on webkit is a bit like saying there's no point in using using Apple products now that they're built on Intel hardware.posted by deathpanels at 10:44 PM on March 1, 2013 [1 favorite]

I had to stop using Opera after watching an HTML5 video which pushed it (Opera) into "Kiosk" mode. I just couldn't get it out again! I now use Chrome.posted by JtJ at 3:45 AM on March 2, 2013

The article's claim that Safari has no storage limitations does not gel with my experience. I've been using the Amazon Cloud Reader, and there Safari has dutifully required me to allow the Reader to use more disk space than the standard allowance.posted by bouvin at 9:39 AM on March 2, 2013

It's not a question of not having limits. It's a question of not having an aggregate limit across all sub domains. That Amazon doesn't exploit that is not a sign that Safari is invulnerable.posted by jeffamaphone at 10:11 AM on March 2, 2013

Tags

Share

About MetaFilter

MetaFilter is a weblog that anyone can contribute a link or a comment to. A typical weblog is one person posting their thoughts on the unique things they find on the web. This website exists to break down the barriers between people, to extend a weblog beyond just one person, and to foster discussion among its members.